Skillv1.0.0

ClawScan security

OpenClaw SubAgents Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 4:44 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (creating and managing OpenClaw subagents) matches the instructions, but the docs instruct storing and using sensitive session keys, running shells/browser/cron/pm2, and using external CLIs (Convex) without declaring the credentials or clear sandboxing — these gaps increase risk and deserve attention before installing.
Guidance: This skill appears to implement exactly what it claims, but it instructs you to create persistent cron/pm2 jobs, run shell/browser actions, and store/use session keys and Convex CLI credentials. Before installing/using it: (1) Confirm where and how session keys and Convex/gateway credentials will be stored — avoid plaintext in shared files; (2) Limit subagent tool permissions and enable per-agent sandboxing (use tools.deny / allowAgents / sandbox settings) so subagents cannot exec arbitrary host commands or read unrelated files; (3) Treat AGENTS.md and workspace directories as sensitive — rotate and restrict access to session keys; (4) Run the notification daemon and crons in a controlled environment (container or restricted user account) if possible; (5) If you need stronger assurance, ask the skill author for explicit documentation of required environment variables/credentials and an audited example deploy manifest showing least-privilege sandboxing. Providing those details would move this assessment toward 'benign'.

Review Dimensions

Purpose & Capability: okThe name and description match what the SKILL.md and reference files actually instruct: editing ~/.openclaw/openclaw.json, creating workspace files (SOUL.md, AGENTS.md, HEARTBEAT.md, memory files), using the sessions_spawn tool, and managing cron/pm2 daemons. All required commands and paths are coherent with an OpenClaw subagent-management skill.
Instruction Scope: concernThe instructions go beyond simple config examples: they explicitly direct agents/operators to run shells and browser scraping, run arbitrary scripts in ~/.openclaw/workspace-<agentId>/scripts/, run npx convex commands, add cron jobs, and run a pm2 notification daemon that reads an AGENT_SESSIONS mapping and uses clawdbot.sessions.send. That scope is plausible for managing subagents but also grants the ability to execute arbitrary code and access local files. The docs also instruct storing and using session keys (sensitive values) inside AGENTS.md/workspace files which can lead to credential exposure if not handled carefully.
Install Mechanism: okNo install spec is present (instruction-only skill). That lowers installation risk — nothing will be fetched or written by the registry installer itself. All persistent actions are operator-driven (cron, pm2, CLI), not implicit installs by the skill bundle.
Credentials: concernThe SKILL.md shows commands that require external credentials (Convex CLI via npx convex, gateway/agent session keys used for sessions.send) but the skill declares no required environment variables or primary credential. The documentation suggests storing session keys in AGENTS.md (and using AGENT_SESSIONS mapping in the notification daemon), which is sensitive. In short: credential access is necessary for full operation but is not declared or guided safely in the skill; that mismatch is a security concern.
Persistence & Privilege: noteThe skill itself is not always-enabled and has no install hooks, but the instructions guide the operator to create persistent background processes (cron heartbeats, pm2 notification daemon, gateway daemon). Those persistent services increase the runtime blast radius (they run continuously and can perform actions over time) — this is expected for an orchestration skill but users should recognise they are being instructed to create persistent system services.